Capturing and Checking Mobile App Policies

Abstract

It can be difficult to find mobile apps that respect one’s security and privacy. Businesses rely on employees enforcing company mobile device policies correctly. Users must judge apps by the information shown to them by the store. Studies have found that most users do not pay attention to an apps permissions during installation [19] and most users do not understand how permissions relate to the capabilities of an app [30]. To address these problems and more, we present AppPAL: a machine-readable policy language for Android that describes precisely when apps are acceptable. AppPAL goes beyond existing policy enforcement tools, like Kirin [16], adding delegation relationships to allow a variety of authorities to contribute to a decision. AppPAL also acts as a “glue”, allowing connection to a variety of local constraint checkers (e.g., static analysis tools, packager manager checks) to combine their results. As well as introducing AppPAL and some examples, we apply it to explore whether users follow certain intended policies in practice, finding privacy preferences and actual behaviour are not always aligned in the absence of a rigorous enforcement mechanism.